12

I am a network admin at a high school in South Africa, running on a Microsoft network. We have approximately 150 PCs around the campus, of which at least 130 are wired to the network. The remaining are staff laptops. All IP addresses are assigned using a DHCP server.

Currently, our wi-fi access is limited to a few locations where those staff are located. We're using WPA with a long key which is not made available to students. To my knowledge, this key is safe.

It would make more sense, however, to use RADIUS authentication but I have some questions about how it works in practice.

  1. Will machines that are added to the domain authenticate automatically to the wi-fi network? Or is it user-based? Can it be both?
  2. Will devices like a PSP / iPod touch / Blackberry / etc / be able to connect to the WiFi network if it uses RADIUS authentication? I would want this to happen.

I do have WAPs that support RADIUS authentication. I would just need to turn the RADIUS functionality on from a MS 2003 Server.

Given the mobile-device requirement, would using a captive-portal be better? I know from experience in airports that it can be done (if the device has a browser).

Which brings me to questions regarding Captive portals:

  1. Can I limit the captive portal to Wi-Fi connected devices only? I don't particularly want to have to set up MAC address exceptions for all existing network machines (in my understanding, it just increases the opportunity for MAC address spoofing).
  2. How is this done? Do I have a separate address range for WiFi access devices and then will the captive portal route between the two networks? It is important to emphasise that the WAPs share a physical network with other machines that are not to be captive-portalled.

Your experience and insight will be appreciated!

Philip

Edit: In order to get a little more clarity on whether a Captive Portal is even feasible, I've asked this question.

Community
  • 1
Philip
  • 630
  • 5
  • 8
  • 18

2 Answers2

6

User authentification for Wifi use 802.1x protocol.
To connect devices need a WPA supplicant such as SecureW2
Depending of the supplicant you use you will or not will be able to use do a SSO with the windows domain login/password.
iPhone and iPod touch have built in WPA supplicant. I don't know for PSP/BB. SecureW2 has a Windows Mobile version.

I'm sure that you could enable a captive portal for WiFi only without having to create to IP Network. You just need to put wireless access in a vlan and wired access in another vlan then put the portal between both vlan. This is like a transparent firewall.

802.1x need to have a supplicant on computers. If computers that need to use the Wifi are known you just have to setup the supplicant on them and it's a great solution. If you want to make your wireless access accessible by visitor or things like that it could be a nightmare because they need the supplicant etc..

A captive portal is a bit less secure and need user to authenticate manually each time they connect. It can be a bit borring.

A good solution from my point of view is too have both. A 802.1x access that give you the same as if you were wired on the lan and a captive portal that give you access to less things (access to internet port 80, limited access to local lan, ...)

radius
  • 9,545
  • 23
  • 45
5

I have a bit of WIFI experience - have done many campus deployments: City of Las Vegas, University of Michigan, various hotels and apartment complexes....

Your clients don't talk directly to a RADIUS server. The AP (Access Point) that is 802.1x capable does this on the client's behalf. In fact, you don't need RADIUS to support a 802.1x implementation.

1. Can I limit the captive portal to Wi-Fi connected devices only? I don't particularly want to have to set up MAC address exceptions for all existing network machines (in my understanding, it just increases the opportunity for MAC address spoofing).

MAC spoofing can only be done after a client associates. So your concern here need not be as one cannot spoof on a WIFI network without association first. You control association via WPA or WPA2 and others...

2. How is this done? Do I have a separate address range for WiFi access devices and then will the captive portal route between the two networks? It is important to emphasise that the WAPs share a physical network with other machines that are not to be captive-portalled.

You can do that but I'm not sure what you hope to achieve? Why do you feel you need to isolate WIFI access from your wired clients? NOTE: VLANS are not a security measure!!!

Your solution depends on what type of APs you have and if they support WPA2. Assuming that they do, what I would do is one of two things in your situation is:

Deploy WPA-PSK and control LAN access through group policies and firewalls. I would also subnet the WIFI "zone" and use router ACLs for any internal filtering you need. NTLM is pretty secure these days. This would be my first approach. If there are reasons you can't do this, you haven't expanded far enough in your original post to say why...

My 2nd approach would then look at 802.1x - this would appear to be overkill for your needs as described but would ease admin for when an employee leaves the company etc... If they turn in their laptops when they leave, then option-1 (WPA-PSK) seems good enough. If you give out the PSK rather than put it in yourself, then this option is preferred -- I guess.

Even if end users somehow share the PSK with outsiders, your LAN end points are still secured via NTLM, ACLs, and firewalls...

Luc
  • 263
  • 2
  • 17
Kilo
  • 1,554
  • 13
  • 21